Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   HASP HL Time (https://forum.exetools.com/showthread.php?t=12299)

backdoor_b 06-10-2009 05:28

HASP HL Time
 
Recently I got a program fully emulated with MultiKey version 0.18.0.2. I tested it and it works well, but after 45 days the program says "Security device is timed out". The partial solution is to change the date and it works again, but I think I could change something in the registry to set the date 2 years ahead.

My question is: where and in what format must I put the date?

This is the beginning of the file:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\MultiKey\Dumps\608D2C50]
"Name"="Deco Studio"
"Copyright"="2008"
"SN"=dword:4f93c6d7
"DongleType"=dword:00000001
"Type"=dword:000000fa <== Is there a manual to know these values?
"Memory"=dword:00000020
"NetMemory"=hex:00,00,00,00,00,00,00,00,00,00,fd,ff
"HaspTimeMemory"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,d7,c6,93,4f,00,00,00,00,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff <=== I suppose the date is here
"TimeShift"=hex:00,00,00,00,00,00,00,00
"SecTable"=hex:6c,ae,93,93,a2,a2,93,93
"ColumnMask"=dword:000000eb
"CryptInitVect"=dword:0000001c
"AesKey"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10

ahmadmansoor 06-10-2009 17:50

My friend, if you like I can take a look at your program; just upload it and PM me.
I will try to make it work.

Git 06-11-2009 19:38

Quote:

"Type"=dword:000000fa <== Is there a manual to know this values??
HASP3 Time : 0x12
HASP4 M1 : 0x0A
HASP4 Time : 0x1A
HASP HL : 0xEA
HASP HL Time : 0xDA

Also, look at the last-but-one byte of NetMemory[]:
0xFF : local
0xFE : Net
0xFD : Time

Your HaspTimeMemory structure values make no sense. The current time and current date fields are all zeros and the ID field is the same as your serial number. If you want to experiment, the first 3 bytes are the time in BCD secs, mins, hours, and the next 4 bytes are the date in BCD date, month, dow, year. As you guessed, expiry dates are more often stored in the last 16 bytes.

TimeShift is a 64-bit integer and is the difference between the current time and the actual time written to HaspTimeMemory, in units of 100 ns, and may be worth experimentation.

Git
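The layout Git describes above, worked through in code. This is an added example, not code from the thread or from the MultiKey tool: it reads the `HaspTimeMemory` and `TimeShift` values straight out of the posted `.reg` text, decodes the BCD clock fields (bytes 0-2 seconds/minutes/hours, bytes 3-6 day/month/day-of-week/year, as Git states), re-encodes a chosen date and time, and builds a `TimeShift` in 100 ns ticks. The details the thread does not state are assumptions and marked as such in the code: the serial number sitting at offset 32 (read off the posted dump, where d7,c6,93,4f equals SN 0x4f93c6d7 little-endian), a two-digit year, day-of-week as 1=Monday..7=Sunday, and the sign convention of `TimeShift`.

```python
"""
Decode and re-encode the HaspTimeMemory / TimeShift values of a MultiKey .reg dump.

Added example, not code from the thread or from MultiKey. Byte layout per Git's
post: bytes 0-2 = BCD seconds, minutes, hours; bytes 3-6 = BCD day, month,
day-of-week, year; TimeShift = 64-bit count of 100 ns ticks. The rest (serial
number at offset 32, two-digit year, 1=Monday..7=Sunday, TimeShift sign) is
assumed from the posted dump, not taken from any HASP documentation.
"""
import re
import struct
from datetime import datetime

# Constructed input: the relevant lines of the dump posted in the thread,
# in regedit .reg syntax including its backslash line continuations.
REG_TEXT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\MultiKey\Dumps\608D2C50]
"SN"=dword:4f93c6d7
"HaspTimeMemory"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,d7,c6,93,4f,00,00,00,00,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"TimeShift"=hex:00,00,00,00,00,00,00,00
'''

SERIAL_OFFSET = 32              # assumption: d7,c6,93,4f (= SN 0x4f93c6d7 LE) sits here in the posted dump
TICKS_PER_SECOND = 10_000_000   # TimeShift unit is 100 ns, the same tick as a Windows FILETIME


def reg_hex(text, name):
    """Bytes of a "name"=hex:... value, joining regedit's backslash-continued lines."""
    pat = r'"%s"=hex:((?:[^\n\\]*\\\r?\n)*[^\n]*)' % re.escape(name)
    m = re.search(pat, text)
    if not m:
        raise KeyError(name)
    cleaned = re.sub(r'[\\\s]', '', m.group(1))
    return bytes(int(h, 16) for h in cleaned.split(',') if h)


def reg_dword(text, name):
    """Integer of a "name"=dword:xxxxxxxx value."""
    m = re.search(r'"%s"=dword:([0-9a-fA-F]{1,8})' % re.escape(name), text)
    if not m:
        raise KeyError(name)
    return int(m.group(1), 16)


def bcd_decode(b):
    """One packed-BCD byte -> 0..99; rejects nibbles above 9 (e.g. the 0xff tail)."""
    hi, lo = b >> 4, b & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError("not BCD: 0x%02x" % b)
    return hi * 10 + lo


def bcd_encode(n):
    """0..99 -> one packed-BCD byte, e.g. 28 -> 0x28."""
    if not 0 <= n <= 99:
        raise ValueError(n)
    return ((n // 10) << 4) | (n % 10)


def decode_time_memory(blob):
    """Split the 56-byte blob into the clock fields Git names, the serial, and the 0xff tail."""
    sec, mn, hr, day, mon, dow, yr = (bcd_decode(b) for b in blob[:7])
    serial = struct.unpack_from('<I', blob, SERIAL_OFFSET)[0]
    try:
        when = datetime(2000 + yr, mon, day, hr, mn, sec)   # two-digit year: assumption
    except ValueError:                                      # all-zero fields, as in the posted dump
        when = None
    return {"time": (hr, mn, sec), "date": (day, mon, dow, yr), "datetime": when,
            "serial": serial, "tail": blob[40:]}


def set_time_fields(blob, when):
    """Copy of blob with bytes 0-6 rewritten to `when`, in the BCD order Git gives."""
    fields = [when.second, when.minute, when.hour, when.day, when.month,
              when.isoweekday(),      # 1=Monday..7=Sunday: assumed convention
              when.year % 100]
    return bytes(bcd_encode(v) for v in fields) + blob[7:]


def timeshift_bytes(seconds):
    """TimeShift as an 8-byte little-endian signed tick count (sign: check by experiment)."""
    return struct.pack('<q', int(seconds * TICKS_PER_SECOND))


def timeshift_seconds(blob):
    """Inverse of timeshift_bytes."""
    return struct.unpack('<q', blob)[0] / TICKS_PER_SECOND


def reg_hex_line(name, data):
    """Single-line "name"=hex:.. value, ready to paste under the dump key."""
    return '"%s"=hex:%s' % (name, ','.join('%02x' % b for b in data))


if __name__ == "__main__":
    mem = reg_hex(REG_TEXT, "HaspTimeMemory")
    info = decode_time_memory(mem)
    print("serial %08x matches SN: %s" % (info["serial"], info["serial"] == reg_dword(REG_TEXT, "SN")))
    print("clock fields:", info["time"], info["date"], "->", info["datetime"])
    print(reg_hex_line("HaspTimeMemory", set_time_fields(mem, datetime(2009, 6, 10, 5, 28, 0))))
    print(reg_hex_line("TimeShift", timeshift_bytes(2 * 365 * 86400)))   # a two-year shift in ticks
```

Run against the posted dump, `decode_time_memory` reports the all-zero clock fields Git points out (no valid datetime) and confirms that the dword at offset 32 is the SN; `set_time_fields` then writes 00,28,05,10,06,03,09 for 10 June 2009 05:28, which can be pasted back as a `hex:` value. Which direction a positive `TimeShift` moves the emulated clock is not stated in the thread, so try it both ways.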

backdoor_b 06-11-2009 23:08

Thanks, I will experiment!

backdoor_b 06-12-2009 02:09

Can I use the tool "timeset for any hasp4 emulator" by sataron (2006) to change these values? Because I don't understand the Binary Coded Decimal conversion very well.

Another thing: is type FA for HASP HL Time, or should it be HASP SRM?

ahmadmansoor 06-15-2009 14:36

My friend: I have finished it, but I have to decide which way I will use.
I think I will make an unpack for it, or I will make a loader for it and send it to you.
The check for the time comes from the main program (I mean by the programmer; he is the one who makes the check for time, not the dongle code itself).

Note: there are 11 files packed, at least.

Git 06-15-2009 18:33

And all 11 (or 1111) files will unpack fine when the emulator file is correct. Easiest way to unpack the HL shell is to let the emulator do it. Once you unpack it there's a very good chance the dongle is still used anyway, so why reinvent the wheel?

Git

ahmadmansoor 06-15-2009 19:10

Hehehe, no :D. I will just unpack the main file (.exe) which contains the check, nothing else :p, then patch it.
And I said I can make a loader for it and finish everything,
but I like to make it finished.

Git 06-15-2009 19:51

Better would be to tell us the format that the expiry is stored in in the HaspTimeMemory struct. Or, if you have just bypassed it, send me the unpacked main exe (not patched) and the IDA file and I will carry on the work.

Git

ahmadmansoor 06-15-2009 19:55

Hehe, as you wish my friend... I will.

DCA 06-16-2009 02:43

@backdoor_b

I had another program with the same problem.
The only thing I needed to change was inside the

"HaspTimeMemory"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,d7,c6,93,4f,00,00,00,00,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff

Replace d7,c6,93,4f with 01,02,03,04 and, if the rest of the dump is already correct, it works. Otherwise there could be a byte check inside the data block which needs to be removed.

backdoor_b 06-16-2009 06:18

@ahmadmansoor: I hope you could make a tutorial on how to unpack it. =)

@DCA: I will try it!

Git 06-16-2009 18:08

You don't need a tut, it unpacks itself! Just get that emulator working and you can forget all about ugly patches and unpacking.

Git

DCA 06-18-2009 02:59

@Git

Unpacking makes your application run quicker.
Then use the emulator.

Depending on the HASP protection, the most simple patch consists of only two patches. No emul needed anymore, forever :)

Git 06-18-2009 06:24

Until the first service pack or update...

Git

ahmadmansoor 06-18-2009 07:13

1 Attachment(s)
My friend Git, I was talking about unpacking just the exe file (the main file, DecoStudio.EXE),
because it has the check, not the other files (dll files).
So the check for time is placed by the programmer himself, not by using the dongle time limit. It is just in this target, I think. I don't know, I am not that experienced with dongles; maybe I will ask some newbie questions later, so don't find this strange ;)
Anyway, patching this check is very simple, it is just patching
jb XXX >>> jmp
nothing else.
Anyway, working on unpacking a target protected by
"HASP HL Protection V1.X -> Aladdin" is not easy as well.
Anyway, I have got a way to deal with it, and this is the IAT, just to make others sure that I don't forget this thread... hehehe :p
And the unpacked file I will send to you.
Anyway, please Git, ask backdoor_b to send the program to you, then I will send the unpacked file to you later, because the IDA file for the exe is very big and I can't upload it to you.
I have an upload/download limit here of just 99 MB :mad:

The IAT has some missing kernel APIs, 3 or 4, so I need to find how it hides these APIs. When finished I will send the file to you.
cya :)

Git 06-18-2009 18:38

Many thanks Ahmad. "HASP HL Protection V1.X -> Aladdin " is the shell / envelope tied to the dongle. You can know it is the case usually when you see ".protect" section name. Often this shell/envelope encryption is applied several times on top of each other. Unless you have tools to generate the emulator parameters, it can be a pain to do manually. It is achieved with multiple layers of encryption using the dongle API hasp_encrypt and decrypted during run with hasp_decrypt.

Usual method is to make basic emulator, run target and hasp logger until it puts up error dialog, then save dump as dump01.exe. Search the dump01.exe for input parameter to any of the hasp_decrypt calls in the log. When you find it, search back in the file for non-Unicode string GetTickCount followed by 4 0x00 bytes. Count another 4 bytes and then you have the start of the Q/A pairs block, so if GetTickCount string starts at 0x11F50, block starts at 0x11F64. Copy 0x1000 bytes from that address to a file called, say, pairs01.bin. The first 2048 bytes of that file represent 128 ATable entries for emulator and last 2048 bytes represent 128 corresponding QTable entries. Add those 128 Q/A pairs to the emulator and restart emulator. Much easier if you write a small program to convert pairs.bin to registry entries.

Now run the application and hasp logger again. Again, it will maybe put up an error dialog about the Envelope. Again save the dump, this time as dump02.exe. Search through dump02.exe for the input value of the hasp_decrypt call in the log. Same as before, search back for GetTickCount, copy the 4096 byte block from 8 bytes past GetTickCount to a new file pairs02.bin. Add the new 128 pairs to the emulator and restart. This time the application may run, maybe not. Repeat the procedure until there is no Envelope error. You now have an emulator covering all envelope hasp_decrypt calls. If the programmer was clever, he has used the API and there will be many hasp_decrypt and hasp_encrypt calls in the program with random parameters and it is almost impossible to emulate. However, many programmers do nothing more than put the shell/envelope around the program and call it protected. If so, you now have 100% emulation of the dongle for that app.

Git

Git 06-18-2009 19:13

I should add that the hasp_decrypt entry that you use to search the dump should be the last one entered in the log before the application failed. You then ensure you are looking at a Q/A pair that has not yet been found in an earlier layer.

Note for Admin: I still cannot see an Edit button on any of my posts, so I have to comment to myself rather than editing the original.

Later: OK, I posted that and straight away saw an Edit button! I think the problem arises if you log out and log in again.

Git
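The "small program to convert pairs.bin to registry entries" that Git recommends in the two posts above, as an added example that is not part of the thread or of MultiKey. It takes the post's rules literally: find the input of the last hasp_decrypt call logged before the envelope error in the dump, search back from there for the ASCII string `GetTickCount` followed by four 0x00 bytes, skip 4 more bytes (0x11F50 to 0x11F64 in Git's figures), take 0x1000 bytes, and split them into 128 A entries followed by 128 Q entries. It also checks that the query really lies in the Q half of the block found, and merges a new layer's pairs into the ones already collected so that a conflicting answer for an already-known query is flagged. Assumptions not stated in the thread and marked as such in the code: 16-byte entries (2048 bytes / 128), the registry value names `ATable`/`QTable` and emitting all collected pairs in two such values, and that the hasp_decrypt input found in the dump is one of the Q entries. The dump is constructed so the script runs offline; it deliberately contains an import-table style `GetTickCount\0GetLastError` decoy that the four-zero-byte rule must skip.

```python
"""
Pull one layer of HASP HL envelope Q/A pairs out of a process dump and turn it
into MultiKey registry lines, following Git's procedure in the thread.

Added example, not code from the thread or from MultiKey. From the post: the
block starts 4 bytes after "GetTickCount" + four 0x00 bytes, is 0x1000 bytes
long, and holds 128 A entries followed by 128 Q entries. Assumed here: 16-byte
entries (2048 / 128), the value names "ATable"/"QTable", and that the
hasp_decrypt input found in the dump is one of the Q entries.
"""
import hashlib

MARKER = b"GetTickCount" + b"\x00" * 4   # plain ASCII string followed by four zero bytes
SKIP_AFTER_MARKER = 4                    # 0x11F50 + 12 + 4 + 4 = 0x11F64 in Git's example
PAIRS = 128
ENTRY_SIZE = 16                          # assumption: 2048 bytes / 128 entries
TABLE_SIZE = PAIRS * ENTRY_SIZE          # 2048
BLOCK_SIZE = 2 * TABLE_SIZE              # 0x1000


def find_pair_block(dump, last_query):
    """Locate the Q/A block holding `last_query`, the input of the last hasp_decrypt
    call logged before the envelope error. Returns (block_offset, a_table, q_table)."""
    q_off = dump.find(last_query)
    if q_off < 0:
        raise ValueError("hasp_decrypt input not found in dump")
    m_off = dump.rfind(MARKER, 0, q_off)          # search *back* from the query
    if m_off < 0:
        raise ValueError("no GetTickCount marker before the query")
    start = m_off + len(MARKER) + SKIP_AFTER_MARKER
    block = dump[start:start + BLOCK_SIZE]
    if len(block) != BLOCK_SIZE:
        raise ValueError("dump truncated inside the pair block")
    if not start + TABLE_SIZE <= q_off < start + BLOCK_SIZE:   # assumption: query sits in the Q half
        raise ValueError("query lies outside the Q half of the block: wrong marker?")
    return start, block[:TABLE_SIZE], block[TABLE_SIZE:]


def entries(table):
    """Cut a table into its fixed-size entries."""
    return [table[i:i + ENTRY_SIZE] for i in range(0, len(table), ENTRY_SIZE)]


def pairs_from_block(a_table, q_table):
    """dict query -> answer; entry i of QTable is answered by entry i of ATable."""
    return dict(zip(entries(q_table), entries(a_table)))


def merge_layers(known, new):
    """Add a layer's pairs to those already in the emulator. A query seen in an
    earlier layer must keep the same answer, otherwise the new block is wrong."""
    merged = dict(known)
    for q, a in new.items():
        if merged.get(q, a) != a:
            raise ValueError("conflicting answer for query %s" % q.hex())
        merged[q] = a
    return merged


def reg_hex_value(name, data, per_line=25):
    """"name"=hex:.. with regedit-style ',\\' continuation lines."""
    hexes = ["%02x" % b for b in data]
    rows = [",".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line)]
    return '"%s"=hex:' % name + ",\\\n  ".join(rows)


def reg_text(pairs, key=r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\MultiKey\Dumps\608D2C50"):
    """A .reg fragment with all collected pairs (value names are an assumption)."""
    qs = list(pairs)
    q_table = b"".join(qs)
    a_table = b"".join(pairs[q] for q in qs)
    return "Windows Registry Editor Version 5.00\n\n[%s]\n%s\n%s\n" % (
        key, reg_hex_value("ATable", a_table), reg_hex_value("QTable", q_table))


# --- constructed dump: an import-table style decoy, then the real marker and block
def _fake_table(tag):
    return b"".join(hashlib.sha256(b"%s%d" % (tag, i)).digest()[:ENTRY_SIZE] for i in range(PAIRS))

A_TABLE, Q_TABLE = _fake_table(b"answer"), _fake_table(b"query")
PREFIX = b"MZ" + bytes(0x40) + b"GetTickCount\x00GetLastError\x00" + bytes(0x100)
MARKER_OFFSET = len(PREFIX)
DUMP = PREFIX + MARKER + b"\x01\x02\x03\x04" + A_TABLE + Q_TABLE + bytes(0x80)
LAST_QUERY = entries(Q_TABLE)[5]         # stands in for the last hasp_decrypt input in the log

if __name__ == "__main__":
    start, a_tab, q_tab = find_pair_block(DUMP, LAST_QUERY)
    print("block at 0x%X (marker at 0x%X)" % (start, MARKER_OFFSET))
    layer1 = pairs_from_block(a_tab, q_tab)
    print(reg_text(merge_layers({}, layer1))[:160], "...")
```

For a real run, read dump01.exe with `open(path, "rb").read()`, pass the last logged hasp_decrypt input as `last_query`, and keep feeding each new layer's pairs through `merge_layers` before writing `reg_text` out; the conflict check is what tells you that a later dump's block was located on the wrong marker.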

ahmadmansoor 06-21-2009 04:19

Finish it
 
OK... I have made the easy and the best way to unpack it, as always :D.
My friend backdoor_b, please can you send the program to Git?
I need him to define which version of
"HASP HL Protection V1.X -> Aladdin"
it is, so when I write the tut I will put the exact version.
Git, you have explained the info very well :) (nice work man).
Tomorrow I will send the unpacked file to backdoor_b and Git.
Note:
@Git: about the guy which you told me about in your PM.
I have noticed that he put up another tut. It is not his tut and it is not my way of unpacking this version.
Anyway, I am sorry for this mistake from him.

ahmadmansoor 06-21-2009 16:51

Guys, check your PM...
It contains the 2 unpacked files:
1. pure unpacked file
2. cracked unpacked file

So have fun guys.

backdoor_b 06-23-2009 23:02

Thanks, I already sent it to Git.

remal 10-18-2009 13:04

I'm sorry but where can I find your tut, ahmadmansoor?

banch 12-03-2009 15:53

Good work.
I will try.

ahmadmansoor 12-03-2009 23:33

Quote:

Originally Posted by remal (Post 65517)
I'm sorry but where can I find your tut, ahmadmansoor?


will come soon :) for the public ;)

